OpenBGPd + TCP-MD5 sig fails after a few weeks
Antoine Beaupré
anarcat at koumbit.org
Wed Nov 27 18:12:42 UTC 2013
On 2013-11-27 05:58:12, Ermal Luçi wrote:
> You can use the port here
> https://github.com/pfsense/pfsense-tools/tree/master/pfPorts/openbgpd
> It has integration with pfkey sockets of FreeBSD in the daemon itself and
> you have to specify only the spd policy through setkey.
>
> It works for pfSense.
While it seems to bootstrap properly, it still fails to install a
security association, in my bgpd.conf:
tcp md5sig password "[...]"
Startup log:
root at rtr0:/usr/home/anarcat # bgpd -d
startup
rereading config
route decision engine ready
session engine ready
RDE reconfigured
listening on 0.0.0.0
listening on ::
SE reconfigured
neighbor 199.58.81.1 (rtr1): state change None -> Idle, reason: None
neighbor 38.104.152.101 (Cogent): state change None -> Idle, reason: None
neighbor 199.58.81.1 (rtr1): state change Idle -> Connect, reason: Start
pfkey: Invalid argument
neighbor 38.104.152.101 (Cogent): pfkey setup failed
neighbor 199.58.81.1 (rtr1): state change Connect -> Active, reason: Connection open failed
^Cneighbor 199.58.81.1 (rtr1): state change Active -> Idle, reason: Stop
kernel routing table 0 (Loc-RIB) decoupled
pfkey: Invalid argument
route decision engine exiting
session engine exiting
Terminating
What do I need to set with setkey?
It seems to send the wrong password to the other side:
13:06:33.455309 IP (tos 0x0, ttl 255, id 18405, offset 0, flags [DF], proto TCP (6), length 68, bad cksum 0 (->b632)!)
38.104.152.102.179 > 38.104.152.101.44659: Flags [S.], cksum 0xe57b (correct), seq 2310073167, ack 669413589, win 65535, options [mss 1436,nop,wscale 6,nop,nop,md5invalid], length 0
After removing the tcpsig from my config, things work again because the
other side is initiating the connection... But connections initiated from
our side are not properly signed.
Also, I have another bgpd that I want to set up an iBGP session with, and
this one loops to death:
neighbor 199.58.81.1 (rtr1): state change Idle -> Connect, reason: Start
neighbor 199.58.81.1 (rtr1): state change Connect -> OpenSent, reason: Connection opened
neighbor 199.58.81.1 (rtr1): state change OpenSent -> OpenConfirm, reason: OPEN message received
neighbor 199.58.81.1 (rtr1): state change OpenConfirm -> Established, reason: KEEPALIVE message received
neighbor 199.58.81.1 (rtr1): graceful restart of IPv4 unicast, keeping routes
neighbor 199.58.81.1 (rtr1): state change Established -> Idle, reason: Connection closed
neighbor 199.58.81.1 (rtr1): state change Idle -> Connect, reason: Start
neighbor 199.58.81.1 (rtr1): state change Connect -> OpenSent, reason: Connection opened
neighbor 199.58.81.1 (rtr1): state change OpenSent -> OpenConfirm, reason: OPEN message received
neighbor 199.58.81.1 (rtr1): state change OpenConfirm -> Established, reason: KEEPALIVE message received
neighbor 199.58.81.1 (rtr1): graceful restart of IPv4 unicast, keeping routes
neighbor 199.58.81.1 (rtr1): state change Established -> Idle, reason: Connection closed
... etc. After restarting the other daemon, it seems to work properly,
but that was really scary...
neighbor 199.58.81.1 (rtr1): state change Connect -> OpenSent, reason: Connection opened
neighbor 199.58.81.1 (rtr1): state change OpenSent -> OpenConfirm, reason: OPEN message received
neighbor 199.58.81.1 (rtr1): state change OpenConfirm -> Established, reason: KEEPALIVE message received
a.
--
Freedom is being able to make decisions that affect mainly you. Power
is being able to make decisions that affect others more than you. If
we confuse power with freedom, we will fail to uphold real freedom.
- Richard Stallman
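The tcpdump line quoted above flags the MD5 option on the SYN-ACK as invalid. As an added example (not from the original post, from OpenBGPd, or from the pfSense port), the Python below builds an RFC 2385 TCP-MD5 signature over a constructed IPv4 SYN-ACK with the same option layout as that capture and verifies it. It shows what the digest covers (the IPv4 pseudo-header, the fixed TCP header with its checksum zeroed, the payload, and the shared key) and therefore why a key mismatch on either side, or a different address pair, produces a digest the peer cannot verify, and why an option of the wrong length is rejected before any comparison. Addresses, ports, sequence numbers and option values are taken from the capture above; the key is constructed for the example.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCP_PROTO = 6
TCPOPT_NOP = 1
TCPOPT_MD5 = 19       # TCP MD5 Signature option kind (RFC 2385)
TCPOPT_MD5_LEN = 18   # kind(1) + length(1) + 16-byte MD5 digest


def tcp_fixed_header(sport, dport, seq, ack, flags, window, data_offset_words):
    """Pack the 20-byte fixed TCP header; data_offset_words counts 32-bit words incl. options."""
    off_flags = (data_offset_words << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


def md5_signature(src, dst, fixed_hdr, options_len, payload, key):
    """RFC 2385 digest: pseudo-header, fixed header (checksum zeroed), data, then the key."""
    seg_len = len(fixed_hdr) + options_len + len(payload)
    pseudo = (IPv4Address(src).packed + IPv4Address(dst).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    hdr_no_cksum = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:]
    return hashlib.md5(pseudo + hdr_no_cksum + payload + key).digest()


def build_signed_segment(src, dst, sport, dport, seq, ack, flags, window, key, payload=b""):
    """Build a TCP segment with options [mss,nop,wscale,nop,nop,md5] as in the capture."""
    opts_before = (struct.pack("!BBH", 2, 4, 1436)      # mss 1436
                   + bytes([TCPOPT_NOP])
                   + struct.pack("!BBB", 3, 3, 6)       # wscale 6
                   + bytes([TCPOPT_NOP, TCPOPT_NOP]))
    options_len = len(opts_before) + TCPOPT_MD5_LEN     # 28 bytes, a multiple of 4
    fixed = tcp_fixed_header(sport, dport, seq, ack, flags, window, (20 + options_len) // 4)
    digest = md5_signature(src, dst, fixed, options_len, payload, key)
    md5opt = struct.pack("!BB", TCPOPT_MD5, TCPOPT_MD5_LEN) + digest
    return fixed + opts_before + md5opt + payload


def extract_md5_option(segment):
    """Walk the TCP options; return the 16-byte digest, or None if absent or malformed."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break
        if kind == TCPOPT_MD5:
            if length != TCPOPT_MD5_LEN:   # wrong-length signature option: reject
                return None
            return opts[i + 2:i + length]
        i += length
    return None


def verify_signed_segment(src, dst, segment, key):
    """Recompute the RFC 2385 digest with our key and compare it in constant time."""
    received = extract_md5_option(segment)
    if received is None:
        return False
    data_offset = (segment[12] >> 4) * 4
    expected = md5_signature(src, dst, segment[:20], data_offset - 20, segment[data_offset:], key)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    # Values from the quoted tcpdump line; the key is constructed for this example.
    SRC, DST = "38.104.152.102", "38.104.152.101"
    seg = build_signed_segment(SRC, DST, 179, 44659, 2310073167, 669413589,
                               0x012, 65535, b"constructed-example-key")
    print("segment length:", len(seg))                              # 48, as in the capture
    print("same key verifies:", verify_signed_segment(SRC, DST, seg, b"constructed-example-key"))
    print("other key verifies:", verify_signed_segment(SRC, DST, seg, b"another-key"))
```

Note that the verifier only needs the raw TCP segment and the IP addresses; the IP checksum is not part of the signature, so the "bad cksum" on the captured IP header (typical of checksum offload on an outgoing capture) does not by itself affect the MD5 check.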